Continuous Auditing - PowerPoint PPT Presentation

1
Continuous Auditing & Continuous Monitoring: An Integrated Approach
Victoria Chapter ISACA, May 23, 2007
John Verver, CA, CISA, CMC
Vice President, Product Strategy & Alliances, ACL Services Ltd.
2
The Need for Continuous Auditing and Monitoring
  • Continuous auditing
      • Discussed for many years
      • Increasing extent of implementation, but not widespread
  • SOX Sec 404 and other regulatory requirements now driving the need to
      • Efficiently and cost-effectively sustain controls assessment and testing efforts
      • Determine on a timely basis when control deficiencies occur
      • Quantify the impact of control deficiencies
      • Improve effectiveness of controls
      • Gain assurance over effectiveness of controls

3
IIA 2005 Global Technology Audit Guide 3
  • Continuous Auditing: Implications for Assurance, Monitoring and Risk Assessment
  • Key concepts
      • Relationship of Continuous Auditing, Continuous Monitoring and Continuous Assurance
      • Areas for the Application of Continuous Auditing
      • Implementing Continuous Auditing
      • Examples
      • Standards
      • Continuous Auditing Self Assessment

4
Continuous Auditing
  • Shift from traditional approach of periodic
    cyclical audit processes
  • Method used to automatically perform control and
    risk assessments on an ongoing basis
  • Technology is key

5
Traditional Role of Technology in Controls Assessment & Testing
  • Auditors use data analysis to test internal controls by
      • Examining 100% of transactions to determine if there is evidence of an exception to a control rule
      • Examining 100% of transactions to determine if there is an indication of events occurring for which no control rule has been established
  • Data analysis also used successfully to test controls not directly evidenced by financial transactional data
      • Review of ERP access / authorization tables to determine inappropriate Segregation of Duties
      • Security log reviews

6
Limitations of Traditional Audit Approach
  • Retrospective view
      • Analysis frequently occurs long after the transaction has taken place
      • Too late for action
  • Lack of timely visibility into control risks and deficiencies
  • Problems escalate, increasing business risk

The Solution: Independently test all transactions for compliance with controls at, or soon after, the point at which they occur
7
Continuous Controls Monitoring
  • Process performed by management to determine whether policies and controls are operating effectively
  • Establishes control objectives and assurance assertions and uses automated tests to identify activities and transactions that fail to comply with controls
  • Allows management to fix control problems on a timely basis, which improves controls and improves operational performance
  • Technology is key

8
Continuous Monitoring Model
  • Data (multiple source systems) to Transactional Data: access transactional data from disparate sources
  • Controls & Compliance Rules: test transactional data against established internal control rules (COSO-based) and transactional profiles
      • Historical and statistical transactional profiling
  • Alerts (Significant Control Breaches): immediate notification of critical exposures
  • Findings (Suspect Transactions): transactions detailed for further analysis, delivered to Financial / Business Unit Managers / Audit
  • Management / Audit Action: investigations, recoveries, and improved controls and procedures
9
CA and CCM: An Integrated Approach
  • Many of the techniques used in CA and CCM are similar
  • How can both approaches be integrated?
  • How does this affect roles and responsibilities of audit and management?

10
CA and CCM: An Integrated Approach
11
Relationship of Continuous Auditing / Monitoring / Assurance
  • Role of continuous auditing dependent on management's role in continuous monitoring of controls
  • Inverse relationship: the greater the role of management, the less of a direct role for internal audit
  • True continuous assurance
      • Depends on effective monitoring by management of internal controls and Audit's independent assessment of that function

12
Scope and Applicability of CCM and CA
  • Any controls area where
      • Data available
      • Control rule can be established
      • Examination of data provides evidence of controls effectiveness
  • Business/financial process transactions
      • Financial, operational and regulatory controls within transactional process areas
      • Use COSO control objectives and audit assertions to determine rules to be tested
  • System controls
      • Access and authorization tables (SOD)
      • Access and security logs
      • System configuration settings
      • Use CobIT control objectives
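
The two system-control checks just listed (access/authorization tables for SOD, and the security log) can be scripted directly. The Python below is an added example, not code from the presentation or from ACL: the role definitions, user-to-role assignments, conflict ruleset and log entries are constructed sample data, and every function name is an assumption. It distinguishes a conflict that merely exists in the entitlements from one a user has actually exercised on the same document, which is the difference between a design finding and a transaction to investigate.

```python
"""Segregation-of-duties checks over access tables and the security log.

Added example with constructed data and hypothetical function names; not ACL code.
"""
from collections import defaultdict

# Conflicting capability pairs (constructed ruleset drawn from the purchase-to-payment activities).
SOD_RULES = {
    ("vendor.create", "payment.generate"): "could set up a vendor and pay it",
    ("po.create", "po.approve"): "could approve own purchase orders",
    ("invoice.enter", "payment.generate"): "could enter an invoice and pay it",
}

# Constructed ERP authorization tables: role -> capabilities, user -> roles.
ROLE_CAPABILITIES = {
    "BUYER": {"po.create", "po.order"},
    "PO_APPROVER": {"po.approve"},
    "AP_CLERK": {"invoice.enter", "invoice.match"},
    "TREASURY": {"payment.generate", "payment.distribute"},
    "VENDOR_ADMIN": {"vendor.create", "vendor.modify"},
}
USER_ROLES = {
    "alice": {"BUYER"},
    "bob": {"BUYER", "PO_APPROVER"},
    "carol": {"AP_CLERK", "TREASURY"},
    "dave": {"VENDOR_ADMIN"},
}

# Constructed security log entries: (timestamp, user, action, document).
SECURITY_LOG = [
    ("2007-05-01T09:00", "alice", "po.create", "PO-10"),
    ("2007-05-01T09:05", "bob", "po.create", "PO-11"),
    ("2007-05-01T09:06", "bob", "po.approve", "PO-11"),
    ("2007-05-02T10:00", "carol", "invoice.enter", "INV-7"),
    ("2007-05-02T15:00", "carol", "payment.generate", "INV-7"),
    ("2007-05-03T11:00", "dave", "vendor.create", "V-900"),
]


def effective_capabilities(user_roles, role_caps):
    """Flatten role assignments into the set of capabilities each user actually holds."""
    return {user: set().union(*(role_caps[r] for r in roles)) for user, roles in user_roles.items()}


def sod_conflicts(user_roles, role_caps, rules):
    """Entitlement-level test: users whose combined roles grant both halves of a conflicting pair."""
    conflicts = []
    for user, caps in effective_capabilities(user_roles, role_caps).items():
        for (a, b), why in rules.items():
            if a in caps and b in caps:
                conflicts.append((user, a, b, why))
    return conflicts


def exercised_conflicts(log, rules):
    """Log-level test: one user performed both sides of a conflicting pair on the same document."""
    actions_by_user_doc = defaultdict(set)
    for _, user, action, doc in log:
        actions_by_user_doc[(user, doc)].add(action)
    hits = []
    for (user, doc), actions in actions_by_user_doc.items():
        for (a, b), _ in rules.items():
            if a in actions and b in actions:
                hits.append((user, doc, a, b))
    return hits


if __name__ == "__main__":
    for user, a, b, why in sod_conflicts(USER_ROLES, ROLE_CAPABILITIES, SOD_RULES):
        print(f"entitlement conflict: {user} holds {a} and {b} ({why})")
    for user, doc, a, b in exercised_conflicts(SECURITY_LOG, SOD_RULES):
        print(f"exercised conflict: {user} performed both {a} and {b} on {doc}")
```

Run against real data, the entitlement test is the periodic review of the authorization tables, while the log test is the continuous part: each new log batch is folded into the same per-user, per-document action sets and re-scored.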

13
Implementation Practicalities
  • Timely data access
  • Minimizing impact on systems' operational performance
  • Defining appropriate analytics
  • Setting appropriate thresholds for exceptions
  • Developing a suitable scoring / weighting mechanism to prioritize exceptions
  • Iterative process to minimize false positives
  • Management of results
  • Remediation process

14
The Result
  • Improved efficiency and effectiveness of
    risk/control assessments
  • Timely determination whether controls in
    application and financial reporting systems are
    operating effectively
  • Rapid identification of specific deficiencies and
    anomalies
  • Independent assurance of integrity of
    transactions
  • Reduction in errors and fraud
  • Reduction in costs and revenue leakage
  • Quantification of control deficiencies
  • Increased scope of audit activities
  • Documented evidence for internal and external
    auditors

15
Achieving and Maintaining Balance
Controls are at the core of business integrity and efficiency. Yet bullet-proof control systems are not realistic. Which regulations to address? What controls are necessary? Who should manage controls? Are controls effective? The truth remains in the transactions.
16
The Limits of Control Automation
Preventive controls
  • Automated
      • Monitoring SAP transactions across multiple instances to identify duplicate payments
  • Combination
      • Monitoring transactions to identify the integrity of the PO approval process
  • Manual
      • Sub-Ledger / Ledger reconciliation process

17
CCM and COSO Framework
Control Assertions
  • Authorization
  • Accuracy
  • Completeness
  • Validity
  • Efficiency & Effectiveness
  • Segregation of Duties
  • Regulatory Compliance

COSO FRAMEWORK
18
Purchase-to-Payment Process: Sub-Processes and Activities
REQUISITIONS
  • Enter/Create
  • Approve
  • Order Goods
  • Adjust
PURCHASING
  • Enter/Create
  • Approve
  • Order Goods
  • Adjust
RECEIVING
  • Enter/Create
  • Approve
  • Match
PAYMENTS
  • Generate
  • Distribute
  • Void
PAYABLES
  • Enter/Create
  • Approve/Post
  • Adjust
  • Match
  • Create/Approve Payment Vouchers
  • Setup/Approve Recurring Vouchers

19
Define Business Process Overview
Purchase-to-Payment Cycle Activities
  • 1) Vendor Maintenance
      • Create
      • Modify
      • Delete
      • Employees
  • 2) Requisitions
      • Entry / Create
      • Approve
      • Order Goods
      • Adjustments
  • 3) Purchase
      • Entry / Create
      • Approve
      • Order Goods
      • Adjustments
  • 4) Receiving
      • Entry / Create
      • Approve
      • Matching
  • 5) Payables
      • Entry / Create
      • Approve / Post
      • Adjustments
      • Matching
      • Create Pmt Vouchers
      • Approve Pmt Vouchers
      • Setup Recurring Vouchers
      • Approve Recurring Vouchers
  • 6) Payments
      • Generate
      • Distribute
      • Void

20
Define Control Objectives
  • Purchase
      • Entry / Create
      • Approve
      • Order Goods
      • Adjustments

Activity: Create Purchase Order
Control Objective (Assertion):
  • To ensure all critical data is captured. (Completeness)
  • To ensure all data entered is valid. (Validity)
  • To ensure that only approved POs are issued. (Authorization)
  • To ensure POs are only entered once. (Accuracy)
  • To ensure that POs are within approved employee purchasing limits. (Authorization)
  • To ensure no purchases are made from companies or individuals listed on OFAC terrorist lists. (Regulatory)
21
Perform Risk / Impact Ranking
  • Purchase
      • Entry / Create
      • Approve
      • Order Goods
      • Adjustments

Activity: Create Purchase Order
Columns: Control Objective | Transactional | Control Risk Ranking (e) | Business Impact (f) | Overall (e x f)
  • To ensure all critical data is captured. | N | - | - | 0
  • To ensure all data entered is valid. | Y | 3 | 3 | 9
  • To ensure that only approved purchases are issued. | Y | 3 | 3 | 9
  • To ensure POs are only entered once. | Y | 2 | 3 | 6
  • To ensure that POs are within approved employee purchasing limits | Y | 2 | 3 | 6
  • To ensure no purchases are made from companies or individuals listed on OFAC terrorist lists | Y | 3 | 3 | 9
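
The control objectives of slide 20 and the risk/impact scores of slide 21 map directly onto automated transactional tests of the kind the continuous monitoring model on slide 8 describes: every PO is tested, each exception carries the overall ranking of the control it breached, and a threshold selects what becomes an alert. The Python below is an added example, not code from the presentation or from ACL. The purchase orders, vendor master, purchasing limits and restricted-party list are constructed sample data; the function and field names are assumptions. Completeness is marked non-transactional on slide 21, so it is not tested here.

```python
"""Transactional control tests for purchase orders, scored and prioritised.

Added example: constructed sample data and hypothetical function names; not ACL code.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    objective: str  # control objective wording from slide 20
    assertion: str  # assertion the test supports
    risk: int       # control risk ranking, column (e) on slide 21
    impact: int     # business impact, column (f) on slide 21

    @property
    def overall(self) -> int:
        """Overall ranking e x f, as on slide 21."""
        return self.risk * self.impact


CONTROLS = {
    "valid": Control("All data entered is valid", "Validity", 3, 3),
    "approved": Control("Only approved POs are issued", "Authorization", 3, 3),
    "once": Control("POs are only entered once", "Accuracy", 2, 3),
    "limit": Control("POs are within approved employee purchasing limits", "Authorization", 2, 3),
    "sanctions": Control("No purchases from parties on the OFAC list", "Regulatory", 3, 3),
}

# Constructed sample data (assumption, not from the presentation).
VENDOR_MASTER = {"V100", "V200", "V300"}
PURCHASING_LIMITS = {"E1": 5000.0, "E2": 1000.0}  # approved limit per employee
RESTRICTED_PARTIES = {"V300"}                     # placeholder for the OFAC screening list
PURCHASE_ORDERS = [
    {"po": "PO-1", "vendor": "V100", "employee": "E1", "amount": 2500.0, "approved": True},
    {"po": "PO-2", "vendor": "V200", "employee": "E2", "amount": 2500.0, "approved": True},
    {"po": "PO-3", "vendor": "V200", "employee": "E2", "amount": 2500.0, "approved": True},
    {"po": "PO-4", "vendor": "V300", "employee": "E1", "amount": 800.0, "approved": False},
    {"po": "PO-5", "vendor": "", "employee": "E1", "amount": -10.0, "approved": True},
]


@dataclass(frozen=True)
class Finding:
    po: str
    control: str
    assertion: str
    score: int
    detail: str


def run_control_tests(pos, vendor_master, limits, restricted):
    """Run every transactional control rule over all POs (100% testing, not a sample)."""
    # Key for the 'entered once' test: same vendor, same requester, same amount.
    dup_counts = Counter((p["vendor"], p["employee"], p["amount"]) for p in pos)
    findings = []

    def flag(p, key, detail):
        c = CONTROLS[key]
        findings.append(Finding(p["po"], key, c.assertion, c.overall, detail))

    for p in pos:
        if p["vendor"] not in vendor_master or p["amount"] <= 0:
            flag(p, "valid", f"vendor={p['vendor']!r} amount={p['amount']}")
        if not p["approved"]:
            flag(p, "approved", "PO issued without approval")
        if dup_counts[(p["vendor"], p["employee"], p["amount"])] > 1:
            flag(p, "once", "same vendor/employee/amount entered more than once")
        limit = limits.get(p["employee"], 0.0)
        if p["amount"] > limit:
            flag(p, "limit", f"amount {p['amount']} exceeds limit {limit}")
        if p["vendor"] in restricted:
            flag(p, "sanctions", "vendor appears on the restricted-party list")
    return findings


def prioritise(findings, threshold):
    """Exceptions at or above the score threshold, highest overall ranking first."""
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: (-f.score, f.po))


def alert_summary(findings):
    """Breach count per control: the input for a 'significant control breaches' alert."""
    return Counter(f.control for f in findings)


if __name__ == "__main__":
    all_findings = run_control_tests(PURCHASE_ORDERS, VENDOR_MASTER, PURCHASING_LIMITS, RESTRICTED_PARTIES)
    for f in prioritise(all_findings, threshold=6):
        print(f"{f.score:>2} {f.po} {f.assertion:<13} {f.detail}")
    print(dict(alert_summary(all_findings)))
```

With the threshold at 9 only the three 3 x 3 controls surface; lowering it brings in the duplicate and limit breaches, which is the iterative tuning of thresholds and scoring that slide 13 lists under implementation practicalities.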
22
Summary: Continuous Auditing and Monitoring
Business Performance Optimization
Compliance Requirements
Sustainable process for compliance
Bottom-line results
Internal Controls Effectiveness
Cost-effective risk mitigation
Reduced time for reporting/signoff
Operational efficiencies
Streamlined internal & external audit
Fraud reduction
Cost savings
Effective internal controls across the business support compliance while enhancing business performance.
23
Questions?
John Verver, CA, CISA, CMC
Vice President, Product Strategy & Alliances, ACL Services Ltd.
1-604-669-4225
john-verver@acl.com
www.acl.com